Port Mirroring question (iptables -tee)


orutra

New Around Here
I have been doing hard testing on port mirroring with iptables -tee. My starting point has been the related topics in this forum (thanks!). My intention is to capture (mirror) all traffic from one host (RPi 192.168.1.99) to the internet to a testing box (Ubuntu 192.168.1.100).

Usually this is done with the iptables -tee command affecting the 'mangle' table for the PREROUTING and POSTROUTING chains, to clone incoming and outgoing packets.
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.1.100
iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.100

In my testing, I have discovered that the iptables rules must be set carefully in order to avoid duplicating packets: if we don't specify source/destination IPs, the packets from LAN to internet will be cloned by both the PRE- and POSTROUTING rules, and since both have the same source IP (192.168.1.99 in my test) there are DUP packets in the capture. (The answers in this forum are correct, because they specify the src IP address in the PRE- rule and the dst IP in the POST- rule, so no DUPs.)

My problem is that, when performing the capture in the gateway box, only the initial TCP 3-way handshake of the connection is captured. Later I learnt that this is because conntrack is in action.

I have tested doing the capture in the mangle and raw tables in PREROUTING, but the behavior is the same. I had expected that, cloning the packets at the raw table of PREROUTING, all traffic would be cloned, but it is not.

My question is: is this the expected behavior? That is, does conntrack take precedence over iptables, and once a conntrack entry is saved, does no traffic traverse iptables? If so, how can I clone all traffic to the testing box?

I attach an image capture from the testing box of a web request from the RPi to a web page, with the following iptables rules. Note that all traffic is SYN/ACK (traffic to Google is also captured, due to using Chromium, but it is also SYN/ACK):
iptables -t raw -A PREROUTING -s 192.168.1.99 -j TEE --gateway 192.168.1.100
iptables -t raw -A PREROUTING -s 217.160.0.65 -j TEE --gateway 192.168.1.100


--->PREROUTING------------------>[ROUTE]--->FWD---------->POSTROUTING-------------->
1st conntrack or raw??
2nd conntrack or raw??
3rd mangle
4th nat

Thanks!
[attached screenshot: upload_2020-1-10_12-31-14.png]

ColinTaylor

Part of the Furniture
Disable hardware acceleration and you should see the packets. If you still have problems, I suggest you try using these commands with the Wireshark filter set to ip.addr == 217.160.0.65
Code:
modprobe xt_TEE
iptables -t mangle -A PREROUTING  -s 192.168.1.99 -j TEE --gateway 192.168.1.100
iptables -t mangle -A POSTROUTING -d 192.168.1.99 -j TEE --gateway 192.168.1.100
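The two rules above work because PREROUTING matches on the source address and POSTROUTING on the destination address, so every packet of the mirrored host is cloned exactly once. The missing data packets in the first post are not a conntrack effect: on Broadcom routers the NAT accelerator (CTF) takes over a flow after its first packets and forwards the rest in the accelerated path, which never traverses netfilter, so no iptables rule in any table (raw included) sees them. The script below is an added example written for this thread, not code posted by either participant. It wraps the rules in an idempotent add/remove helper and includes a function to switch CTF off; the nvram variable name ctf_disable and the web-UI location are assumptions about Asuswrt-style firmware, and DRY_RUN=1 only prints the commands so the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): mirror all traffic of one LAN host to a
# capture box with the xt_TEE target, and disable the NAT accelerator (CTF)
# that otherwise forwards established flows without traversing netfilter.
#
# Assumptions: iptables with xt_TEE on the router; for ctf_disable(), an
# Asuswrt-style firmware exposing the "ctf_disable" nvram variable.
# Set DRY_RUN=1 to print commands instead of executing them.

MIRROR_HOST="${MIRROR_HOST:-192.168.1.99}"   # host whose traffic is mirrored
CAPTURE_BOX="${CAPTURE_BOX:-192.168.1.100}"  # box running Wireshark/tcpdump
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rule specs (chain + match + target) for the mangle table, one per line.
# PREROUTING matches on the SOURCE address and POSTROUTING on the DESTINATION
# address, so each packet is cloned exactly once: LAN->WAN packets match only
# the first rule, replies from the internet match only the second. Matching
# both chains on the same address would clone outbound packets twice, which
# shows up as DUP packets in the capture.
tee_rule_specs() {
    printf '%s\n' "PREROUTING -s $MIRROR_HOST -j TEE --gateway $CAPTURE_BOX"
    printf '%s\n' "POSTROUTING -d $MIRROR_HOST -j TEE --gateway $CAPTURE_BOX"
}

# Add the rules idempotently: "iptables -C" returns 0 if the rule exists.
# Word splitting of $spec into separate arguments is intended.
mirror_add() {
    run modprobe xt_TEE
    tee_rule_specs | while read -r spec; do
        if [ "$DRY_RUN" = 1 ] || ! iptables -t mangle -C $spec 2>/dev/null; then
            run iptables -t mangle -A $spec
        fi
    done
}

# Remove every copy of the rules (repeat -D while -C still finds one).
mirror_del() {
    tee_rule_specs | while read -r spec; do
        if [ "$DRY_RUN" = 1 ]; then
            run iptables -t mangle -D $spec
        else
            while iptables -t mangle -C $spec 2>/dev/null; do
                iptables -t mangle -D $spec
            done
        fi
    done
}

# Disable CTF (assumption: Asuswrt nvram variable; the same switch is
# "NAT Acceleration" under LAN -> Switch Control in the web UI).
# Takes effect after a reboot.
ctf_disable() {
    run nvram set ctf_disable=1
    run nvram commit
    echo "Reboot the router for the change to take effect."
}

case "${1:-}" in
    add) mirror_add ;;
    del) mirror_del ;;
    ctf) ctf_disable ;;
    "")  ;;   # run or sourced without arguments: only define the functions
    *)   echo "usage: $0 add|del|ctf" >&2 ;;
esac
```

On the capture box, tcpdump -ni eth0 host 192.168.1.99 (or the Wireshark filter ip.addr == 192.168.1.99) shows both directions, because TEE leaves the IP header untouched and only re-addresses the Ethernet frame to the gateway's MAC, so no promiscuous mode is needed. Run sh mirror.sh ctf, reboot, then sh mirror.sh add; if the capture still stops after the handshake, CTF is still active.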

orutra

New Around Here
Thank you so much!!!!

Disabling hardware acceleration (NAT acceleration - CTF) did the trick! All packets are cloned and captured by Wireshark.

I should have read something about HW acceleration; now that I have done so, everything is clear. Thank you very much for your help and support.

I attach the capture with exactly the same test that I made in my previous post (I have hidden my public IP, since I am capturing the web server responses at the PREROUTING level).

[attached screenshot: upload_2020-1-11_18-55-21.png]
